Critical RCE Vulnerabilities Identified in HPE’s Aruba Networking Access Points
November 7, 2024
Hewlett Packard Enterprise (HPE) has issued updates to mitigate two critical vulnerabilities identified in its Aruba Networking Access Points. These security flaws, if exploited, could enable a remote attacker to perform unauthenticated command injection. This can be achieved by sending specially crafted packets to Aruba's Access Point management protocol (PAPI) over UDP port 8211. The vulnerabilities, identified as CVE-2024-42509 and CVE-2024-47460, have been given severity scores of 9.8 and 9.0 respectively. Both vulnerabilities exist within the command line interface (CLI) service, which is accessed via the PAPI protocol.
In addition to these two critical flaws, the update also addresses four other security vulnerabilities. All six vulnerabilities affect AOS-10.4.x.x: 10.4.1.4 and older versions, Instant AOS-8.12.x.x: 8.12.0.2 and below, and Instant AOS-8.10.x.x: 8.10.0.13 and older versions. HPE has highlighted in its security advisory that several more versions of the software that have reached their End of Maintenance dates are also impacted by these flaws, and no security updates will be provided for them.
To combat these vulnerabilities in Aruba Networking Access Points, HPE advises users to update their devices to the latest software versions. HPE has also offered workarounds for all six flaws to assist in cases where software updates cannot be immediately installed. For the two critical flaws, the suggested workaround is to limit or block access to UDP port 8211 from all untrusted networks. For the remaining issues, the vendor recommends limiting access to the CLI and web-based management interfaces by placing them on a dedicated layer 2 segment or VLAN, and regulating access with firewall policies at layer 3 and above, which restricts potential exposure.
At this time, no active exploitation of these vulnerabilities has been observed. However, the application of these security updates and/or mitigations is strongly recommended.
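Two checks a network team can run while rolling out the fix, written here as an added example that is not part of the advisory or HPE's tooling: classify an AP's reported firmware version against the three affected branches the advisory lists, and flag flow records that reach the PAPI port (UDP 8211) from outside the trusted management ranges. The flow-record layout and the sample addresses are constructed for the example.

```python
import ipaddress

# Last affected release per listed branch, as stated in the advisory summarised
# above. A version in one of these branches that is <= the listed value is affected.
LAST_AFFECTED = {
    (10, 4): (10, 4, 1, 4),   # AOS-10.4.x.x: 10.4.1.4 and older
    (8, 12): (8, 12, 0, 2),   # Instant AOS-8.12.x.x: 8.12.0.2 and below
    (8, 10): (8, 10, 0, 13),  # Instant AOS-8.10.x.x: 8.10.0.13 and older
}

PAPI_PORT = 8211  # Aruba AP management protocol (PAPI) listens on UDP 8211


def parse_version(version: str) -> tuple:
    """Turn '8.12.0.2' into (8, 12, 0, 2); reject anything that is not 4 integers."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four numeric components, got {version!r}")
    return parts


def version_status(version: str) -> str:
    """'affected', 'fixed', or 'unlisted'.  'unlisted' means the branch is not one of
    the three families the advisory enumerates (e.g. End-of-Maintenance releases,
    which the advisory says are also impacted but will not be patched)."""
    v = parse_version(version)
    last = LAST_AFFECTED.get(v[:2])
    if last is None:
        return "unlisted"
    return "affected" if v <= last else "fixed"


def exposed_papi_flows(flows, trusted_nets):
    """Return flows that hit UDP/8211 from a source outside the trusted ranges.
    Each flow is a constructed (src_ip, dst_ip, protocol, dst_port) tuple."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for src, dst, proto, dport in flows:
        if proto.lower() != "udp" or dport != PAPI_PORT:
            continue
        if not any(ipaddress.ip_address(src) in n for n in nets):
            hits.append((src, dst, proto, dport))
    return hits


# Constructed sample data: one trusted management subnet, one stray internet source.
SAMPLE_TRUSTED = ["10.10.0.0/24"]
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.20.0.10", "udp", 8211),    # management host, expected
    ("203.0.113.7", "10.20.0.10", "udp", 8211),  # untrusted source, should be blocked
    ("203.0.113.7", "10.20.0.10", "tcp", 443),   # not PAPI, ignored
]
```

Any flow the second function returns is traffic the workaround says should already be blocked at the network edge, so it doubles as a check that the port filter is in place.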